FreeRDP
Loading...
Searching...
No Matches
nego.c
1
23#include <freerdp/config.h>
24
25#include <winpr/crt.h>
26#include <winpr/assert.h>
27#include <winpr/stream.h>
28
29#include <freerdp/log.h>
30
31#include "tpkt.h"
32
33#include "nego.h"
34#include "aad.h"
35
36#include "transport.h"
37
38#define NEGO_TAG FREERDP_TAG("core.nego")
39
40struct rdp_nego
41{
42 UINT16 port;
43 UINT32 flags;
44 const char* hostname;
45 char* cookie;
46 BYTE* RoutingToken;
47 DWORD RoutingTokenLength;
48 BOOL SendPreconnectionPdu;
49 UINT32 PreconnectionId;
50 const char* PreconnectionBlob;
51
52 NEGO_STATE state;
53 BOOL TcpConnected;
54 BOOL SecurityConnected;
55 UINT32 CookieMaxLength;
56
57 BOOL sendNegoData;
58 UINT32 SelectedProtocol;
59 UINT32 RequestedProtocols;
60 BOOL NegotiateSecurityLayer;
61 BOOL EnabledProtocols[32];
62 BOOL RestrictedAdminModeRequired; /* Client-side */
63 BOOL RestrictedAdminModeSupported; /* Server-side */
64 BOOL RemoteCredsGuardRequired;
65 BOOL RemoteCredsGuardActive;
66 BOOL RemoteCredsGuardSupported;
67 BOOL GatewayEnabled;
68 BOOL GatewayBypassLocal;
69 BOOL ConnectChildSession;
70
71 rdpTransport* transport;
72 wLog* log;
73};
74
75static const char* nego_state_string(NEGO_STATE state)
76{
77 static const char* const NEGO_STATE_STRINGS[] = { "NEGO_STATE_INITIAL", "NEGO_STATE_RDSTLS",
78 "NEGO_STATE_AAD", "NEGO_STATE_EXT",
79 "NEGO_STATE_NLA", "NEGO_STATE_TLS",
80 "NEGO_STATE_RDP", "NEGO_STATE_FAIL",
81 "NEGO_STATE_FINAL", "NEGO_STATE_INVALID" };
82 if (state >= ARRAYSIZE(NEGO_STATE_STRINGS))
83 return NEGO_STATE_STRINGS[ARRAYSIZE(NEGO_STATE_STRINGS) - 1];
84 return NEGO_STATE_STRINGS[state];
85}
86
87static BOOL nego_tcp_connect(rdpNego* nego);
88static BOOL nego_transport_connect(rdpNego* nego);
89static BOOL nego_transport_disconnect(rdpNego* nego);
90static BOOL nego_security_connect(rdpNego* nego);
91static BOOL nego_send_preconnection_pdu(rdpNego* nego);
92static BOOL nego_recv_response(rdpNego* nego);
93static void nego_send(rdpNego* nego);
94static BOOL nego_process_negotiation_request(rdpNego* nego, wStream* s);
95static BOOL nego_process_negotiation_response(rdpNego* nego, wStream* s);
96static BOOL nego_process_negotiation_failure(rdpNego* nego, wStream* s);
97
98BOOL nego_update_settings_from_state(rdpNego* nego, rdpSettings* settings)
99{
100 WINPR_ASSERT(nego);
101
102 /* update settings with negotiated protocol security */
103 return freerdp_settings_set_uint32(settings, FreeRDP_RequestedProtocols,
104 nego->RequestedProtocols) &&
105 freerdp_settings_set_uint32(settings, FreeRDP_SelectedProtocol,
106 nego->SelectedProtocol) &&
107 freerdp_settings_set_uint32(settings, FreeRDP_NegotiationFlags, nego->flags);
108}
109
118BOOL nego_connect(rdpNego* nego)
119{
120 rdpContext* context = nullptr;
121 rdpSettings* settings = nullptr;
122 WINPR_ASSERT(nego);
123 context = transport_get_context(nego->transport);
124 WINPR_ASSERT(context);
125 settings = context->settings;
126 WINPR_ASSERT(settings);
127
128 if (nego_get_state(nego) == NEGO_STATE_INITIAL)
129 {
130 if (nego->EnabledProtocols[PROTOCOL_RDSAAD])
131 {
132 nego_set_state(nego, NEGO_STATE_AAD);
133 }
134 else if (nego->EnabledProtocols[PROTOCOL_RDSTLS])
135 {
136 nego_set_state(nego, NEGO_STATE_RDSTLS);
137 }
138 else if (nego->EnabledProtocols[PROTOCOL_HYBRID_EX])
139 {
140 nego_set_state(nego, NEGO_STATE_EXT);
141 }
142 else if (nego->EnabledProtocols[PROTOCOL_HYBRID])
143 {
144 nego_set_state(nego, NEGO_STATE_NLA);
145 }
146 else if (nego->EnabledProtocols[PROTOCOL_SSL])
147 {
148 nego_set_state(nego, NEGO_STATE_TLS);
149 }
150 else if (nego->EnabledProtocols[PROTOCOL_RDP])
151 {
152 nego_set_state(nego, NEGO_STATE_RDP);
153 }
154 else
155 {
156 WLog_Print(nego->log, WLOG_ERROR, "No security protocol is enabled");
157 nego_set_state(nego, NEGO_STATE_FAIL);
158 return FALSE;
159 }
160
161 if (!nego->NegotiateSecurityLayer)
162 {
163 WLog_Print(nego->log, WLOG_DEBUG, "Security Layer Negotiation is disabled");
164 /* attempt only the highest enabled protocol (see nego_attempt_*) */
165 nego->EnabledProtocols[PROTOCOL_RDSAAD] = FALSE;
166 nego->EnabledProtocols[PROTOCOL_HYBRID] = FALSE;
167 nego->EnabledProtocols[PROTOCOL_SSL] = FALSE;
168 nego->EnabledProtocols[PROTOCOL_RDP] = FALSE;
169 nego->EnabledProtocols[PROTOCOL_HYBRID_EX] = FALSE;
170 nego->EnabledProtocols[PROTOCOL_RDSTLS] = FALSE;
171
172 UINT32 SelectedProtocol = 0;
173 switch (nego_get_state(nego))
174 {
175 case NEGO_STATE_AAD:
176 nego->EnabledProtocols[PROTOCOL_RDSAAD] = TRUE;
177 SelectedProtocol = PROTOCOL_RDSAAD;
178 break;
179 case NEGO_STATE_RDSTLS:
180 nego->EnabledProtocols[PROTOCOL_RDSTLS] = TRUE;
181 SelectedProtocol = PROTOCOL_RDSTLS;
182 break;
183 case NEGO_STATE_EXT:
184 nego->EnabledProtocols[PROTOCOL_HYBRID_EX] = TRUE;
185 nego->EnabledProtocols[PROTOCOL_HYBRID] = TRUE;
186 SelectedProtocol = PROTOCOL_HYBRID_EX;
187 break;
188 case NEGO_STATE_NLA:
189 nego->EnabledProtocols[PROTOCOL_HYBRID] = TRUE;
190 SelectedProtocol = PROTOCOL_HYBRID;
191 break;
192 case NEGO_STATE_TLS:
193 nego->EnabledProtocols[PROTOCOL_SSL] = TRUE;
194 SelectedProtocol = PROTOCOL_SSL;
195 break;
196 case NEGO_STATE_RDP:
197 nego->EnabledProtocols[PROTOCOL_RDP] = TRUE;
198 SelectedProtocol = PROTOCOL_RDP;
199 break;
200 default:
201 WLog_Print(nego->log, WLOG_ERROR, "Invalid NEGO state 0x%08" PRIx32,
202 nego_get_state(nego));
203 return FALSE;
204 }
205 if (!nego_set_selected_protocol(nego, SelectedProtocol))
206 return FALSE;
207 }
208
209 if (!nego_tcp_connect(nego))
210 {
211 WLog_Print(nego->log, WLOG_ERROR, "Failed to connect");
212 return FALSE;
213 }
214
215 if (nego->SendPreconnectionPdu)
216 {
217 if (!nego_send_preconnection_pdu(nego))
218 {
219 WLog_Print(nego->log, WLOG_ERROR, "Failed to send preconnection pdu");
220 nego_set_state(nego, NEGO_STATE_FINAL);
221 return FALSE;
222 }
223 }
224 }
225
226 if (!nego->NegotiateSecurityLayer)
227 {
228 nego_set_state(nego, NEGO_STATE_FINAL);
229 }
230 else
231 {
232 do
233 {
234 WLog_Print(nego->log, WLOG_DEBUG, "state: %s", nego_state_string(nego_get_state(nego)));
235 nego_send(nego);
236
237 if (nego_get_state(nego) == NEGO_STATE_FAIL)
238 {
239 if (freerdp_get_last_error(transport_get_context(nego->transport)) ==
240 FREERDP_ERROR_SUCCESS)
241 WLog_Print(nego->log, WLOG_ERROR, "Protocol Security Negotiation Failure");
242
243 nego_set_state(nego, NEGO_STATE_FINAL);
244 return FALSE;
245 }
246 } while (nego_get_state(nego) != NEGO_STATE_FINAL);
247 }
248
249 {
250 char buffer[64] = WINPR_C_ARRAY_INIT;
251 WLog_Print(nego->log, WLOG_DEBUG, "Negotiated %s security",
252 nego_protocol_to_str(nego->SelectedProtocol, buffer, sizeof(buffer)));
253 }
254
255 /* update settings with negotiated protocol security */
256 if (!nego_update_settings_from_state(nego, settings))
257 return FALSE;
258
259 if (nego->SelectedProtocol == PROTOCOL_RDP)
260 {
261 if (!freerdp_settings_set_bool(settings, FreeRDP_UseRdpSecurityLayer, TRUE))
262 return FALSE;
263
264 if (freerdp_settings_get_uint32(settings, FreeRDP_EncryptionMethods) == 0)
265 {
270 if (!freerdp_settings_set_uint32(settings, FreeRDP_EncryptionMethods,
271 ENCRYPTION_METHOD_40BIT | ENCRYPTION_METHOD_56BIT |
272 ENCRYPTION_METHOD_128BIT | ENCRYPTION_METHOD_FIPS))
273 return FALSE;
274 }
275 }
276
277 /* finally connect security layer (if not already done) */
278 if (!nego_security_connect(nego))
279 {
280 char buffer[64] = WINPR_C_ARRAY_INIT;
281 WLog_Print(nego->log, WLOG_DEBUG, "Failed to connect with %s security",
282 nego_protocol_to_str(nego->SelectedProtocol, buffer, sizeof(buffer)));
283 return FALSE;
284 }
285
286 return TRUE;
287}
288
289BOOL nego_disconnect(rdpNego* nego)
290{
291 WINPR_ASSERT(nego);
292 nego_set_state(nego, NEGO_STATE_INITIAL);
293 return nego_transport_disconnect(nego);
294}
295
296static BOOL nego_try_connect(rdpNego* nego)
297{
298 WINPR_ASSERT(nego);
299
300 switch (nego->SelectedProtocol)
301 {
302 case PROTOCOL_RDSAAD:
303 WLog_Print(nego->log, WLOG_DEBUG, "nego_security_connect with PROTOCOL_RDSAAD");
304 nego->SecurityConnected = transport_connect_aad(nego->transport);
305 break;
306 case PROTOCOL_RDSTLS:
307 WLog_Print(nego->log, WLOG_DEBUG, "nego_security_connect with PROTOCOL_RDSTLS");
308 nego->SecurityConnected = transport_connect_rdstls(nego->transport);
309 break;
310 case PROTOCOL_HYBRID:
311 WLog_Print(nego->log, WLOG_DEBUG, "nego_security_connect with PROTOCOL_HYBRID");
312 nego->SecurityConnected = transport_connect_nla(nego->transport, FALSE);
313 break;
314 case PROTOCOL_HYBRID_EX:
315 WLog_Print(nego->log, WLOG_DEBUG, "nego_security_connect with PROTOCOL_HYBRID_EX");
316 nego->SecurityConnected = transport_connect_nla(nego->transport, TRUE);
317 break;
318 case PROTOCOL_SSL:
319 WLog_Print(nego->log, WLOG_DEBUG, "nego_security_connect with PROTOCOL_SSL");
320 nego->SecurityConnected = transport_connect_tls(nego->transport);
321 break;
322 case PROTOCOL_RDP:
323 WLog_Print(nego->log, WLOG_DEBUG, "nego_security_connect with PROTOCOL_RDP");
324 nego->SecurityConnected = transport_connect_rdp(nego->transport);
325 break;
326 default:
327 WLog_Print(nego->log, WLOG_ERROR,
328 "cannot connect security layer because no protocol has been selected yet.");
329 return FALSE;
330 }
331 return nego->SecurityConnected;
332}
333
334/* connect to selected security layer */
335BOOL nego_security_connect(rdpNego* nego)
336{
337 WINPR_ASSERT(nego);
338 if (!nego->TcpConnected)
339 {
340 nego->SecurityConnected = FALSE;
341 }
342 else if (!nego->SecurityConnected)
343 {
344 if (!nego_try_connect(nego))
345 return FALSE;
346 }
347
348 return nego->SecurityConnected;
349}
350
351static BOOL nego_tcp_connect(rdpNego* nego)
352{
353 rdpContext* context = nullptr;
354 WINPR_ASSERT(nego);
355 if (!nego->TcpConnected)
356 {
357 UINT32 TcpConnectTimeout = 0;
358
359 context = transport_get_context(nego->transport);
360 WINPR_ASSERT(context);
361
362 TcpConnectTimeout =
363 freerdp_settings_get_uint32(context->settings, FreeRDP_TcpConnectTimeout);
364
365 if (nego->GatewayEnabled)
366 {
367 if (nego->GatewayBypassLocal)
368 {
369 /* Attempt a direct connection first, and then fallback to using the gateway */
370 WLog_Print(
371 nego->log, WLOG_INFO,
372 "Detecting if host can be reached locally. - This might take some time.");
373 WLog_Print(nego->log, WLOG_INFO,
374 "To disable auto detection use /gateway-usage-method:direct");
375 transport_set_gateway_enabled(nego->transport, FALSE);
376 nego->TcpConnected = transport_connect(nego->transport, nego->hostname, nego->port,
377 TcpConnectTimeout);
378 }
379
380 if (!nego->TcpConnected)
381 {
382 transport_set_gateway_enabled(nego->transport, TRUE);
383 nego->TcpConnected = transport_connect(nego->transport, nego->hostname, nego->port,
384 TcpConnectTimeout);
385 }
386 }
387 else if (nego->ConnectChildSession)
388 {
389 nego->TcpConnected = transport_connect_childsession(nego->transport);
390 }
391 else
392 {
393 nego->TcpConnected =
394 transport_connect(nego->transport, nego->hostname, nego->port, TcpConnectTimeout);
395 }
396 }
397
398 return nego->TcpConnected;
399}
400
409BOOL nego_transport_connect(rdpNego* nego)
410{
411 WINPR_ASSERT(nego);
412 if (!nego_tcp_connect(nego))
413 return FALSE;
414
415 if (nego->TcpConnected && !nego->NegotiateSecurityLayer)
416 return nego_security_connect(nego);
417
418 return nego->TcpConnected;
419}
420
429BOOL nego_transport_disconnect(rdpNego* nego)
430{
431 WINPR_ASSERT(nego);
432 if (nego->TcpConnected)
433 transport_disconnect(nego->transport);
434
435 nego->TcpConnected = FALSE;
436 nego->SecurityConnected = FALSE;
437 return TRUE;
438}
439
448BOOL nego_send_preconnection_pdu(rdpNego* nego)
449{
450 wStream* s = nullptr;
451 UINT32 cbSize = 0;
452 UINT16 cchPCB = 0;
453 WCHAR* wszPCB = nullptr;
454
455 WINPR_ASSERT(nego);
456
457 WLog_Print(nego->log, WLOG_DEBUG, "Sending preconnection PDU");
458
459 if (!nego_tcp_connect(nego))
460 return FALSE;
461
462 /* it's easier to always send the version 2 PDU, and it's just 2 bytes overhead */
463 cbSize = PRECONNECTION_PDU_V2_MIN_SIZE;
464
465 if (nego->PreconnectionBlob)
466 {
467 size_t len = 0;
468 wszPCB = ConvertUtf8ToWCharAlloc(nego->PreconnectionBlob, &len);
469 if (len > UINT16_MAX - 1)
470 {
471 free(wszPCB);
472 return FALSE;
473 }
474 cchPCB = (UINT16)len;
475 cchPCB += 1; /* zero-termination */
476 cbSize += cchPCB * sizeof(WCHAR);
477 }
478
479 s = Stream_New(nullptr, cbSize);
480
481 if (!s)
482 {
483 free(wszPCB);
484 WLog_Print(nego->log, WLOG_ERROR, "Stream_New failed!");
485 return FALSE;
486 }
487
488 Stream_Write_UINT32(s, cbSize); /* cbSize */
489 Stream_Write_UINT32(s, 0); /* Flags */
490 Stream_Write_UINT32(s, PRECONNECTION_PDU_V2); /* Version */
491 Stream_Write_UINT32(s, nego->PreconnectionId); /* Id */
492 Stream_Write_UINT16(s, cchPCB); /* cchPCB */
493
494 if (wszPCB)
495 {
496 Stream_Write(s, wszPCB, cchPCB * sizeof(WCHAR)); /* wszPCB */
497 free(wszPCB);
498 }
499
500 Stream_SealLength(s);
501
502 if (transport_write(nego->transport, s) < 0)
503 {
504 Stream_Free(s, TRUE);
505 return FALSE;
506 }
507
508 Stream_Free(s, TRUE);
509 return TRUE;
510}
511
512static void nego_attempt_rdstls(rdpNego* nego)
513{
514 WINPR_ASSERT(nego);
515 nego->RequestedProtocols = PROTOCOL_RDSTLS | PROTOCOL_SSL;
516 WLog_Print(nego->log, WLOG_DEBUG, "Attempting RDSTLS security");
517
518 if (!nego_transport_connect(nego))
519 {
520 nego_set_state(nego, NEGO_STATE_FAIL);
521 return;
522 }
523
524 if (!nego_send_negotiation_request(nego))
525 {
526 nego_set_state(nego, NEGO_STATE_FAIL);
527 return;
528 }
529
530 if (!nego_recv_response(nego))
531 {
532 nego_set_state(nego, NEGO_STATE_FAIL);
533 return;
534 }
535
536 WLog_Print(nego->log, WLOG_DEBUG, "state: %s", nego_state_string(nego_get_state(nego)));
537
538 if (nego_get_state(nego) != NEGO_STATE_FINAL)
539 {
540 nego_transport_disconnect(nego);
541
542 if (nego->EnabledProtocols[PROTOCOL_HYBRID_EX])
543 nego_set_state(nego, NEGO_STATE_EXT);
544 else if (nego->EnabledProtocols[PROTOCOL_HYBRID])
545 nego_set_state(nego, NEGO_STATE_NLA);
546 else if (nego->EnabledProtocols[PROTOCOL_SSL])
547 nego_set_state(nego, NEGO_STATE_TLS);
548 else if (nego->EnabledProtocols[PROTOCOL_RDP])
549 nego_set_state(nego, NEGO_STATE_RDP);
550 else
551 nego_set_state(nego, NEGO_STATE_FAIL);
552 }
553}
554
555static void nego_attempt_rdsaad(rdpNego* nego)
556{
557 WINPR_ASSERT(nego);
558 nego->RequestedProtocols = PROTOCOL_RDSAAD;
559 WLog_Print(nego->log, WLOG_DEBUG, "Attempting RDS AAD Auth security");
560
561 if (!nego_transport_connect(nego))
562 {
563 nego_set_state(nego, NEGO_STATE_FAIL);
564 return;
565 }
566
567 if (!nego_send_negotiation_request(nego))
568 {
569 nego_set_state(nego, NEGO_STATE_FAIL);
570 return;
571 }
572
573 if (!nego_recv_response(nego))
574 {
575 nego_set_state(nego, NEGO_STATE_FAIL);
576 return;
577 }
578
579 WLog_Print(nego->log, WLOG_DEBUG, "state: %s", nego_state_string(nego_get_state(nego)));
580
581 if (nego_get_state(nego) != NEGO_STATE_FINAL)
582 {
583 nego_transport_disconnect(nego);
584
585 if (nego->EnabledProtocols[PROTOCOL_HYBRID_EX])
586 nego_set_state(nego, NEGO_STATE_EXT);
587 else if (nego->EnabledProtocols[PROTOCOL_HYBRID])
588 nego_set_state(nego, NEGO_STATE_NLA);
589 else if (nego->EnabledProtocols[PROTOCOL_SSL])
590 nego_set_state(nego, NEGO_STATE_TLS);
591 else if (nego->EnabledProtocols[PROTOCOL_RDP])
592 nego_set_state(nego, NEGO_STATE_RDP);
593 else
594 nego_set_state(nego, NEGO_STATE_FAIL);
595 }
596}
597
598static void nego_attempt_ext(rdpNego* nego)
599{
600 WINPR_ASSERT(nego);
601 nego->RequestedProtocols = PROTOCOL_HYBRID | PROTOCOL_SSL | PROTOCOL_HYBRID_EX;
602 WLog_Print(nego->log, WLOG_DEBUG, "Attempting NLA extended security");
603
604 if (!nego_transport_connect(nego))
605 {
606 nego_set_state(nego, NEGO_STATE_FAIL);
607 return;
608 }
609
610 if (!nego_send_negotiation_request(nego))
611 {
612 nego_set_state(nego, NEGO_STATE_FAIL);
613 return;
614 }
615
616 if (!nego_recv_response(nego))
617 {
618 nego_set_state(nego, NEGO_STATE_FAIL);
619 return;
620 }
621
622 WLog_Print(nego->log, WLOG_DEBUG, "state: %s", nego_state_string(nego_get_state(nego)));
623
624 if (nego_get_state(nego) != NEGO_STATE_FINAL)
625 {
626 nego_transport_disconnect(nego);
627
628 if (nego->EnabledProtocols[PROTOCOL_HYBRID])
629 nego_set_state(nego, NEGO_STATE_NLA);
630 else if (nego->EnabledProtocols[PROTOCOL_SSL])
631 nego_set_state(nego, NEGO_STATE_TLS);
632 else if (nego->EnabledProtocols[PROTOCOL_RDP])
633 nego_set_state(nego, NEGO_STATE_RDP);
634 else
635 nego_set_state(nego, NEGO_STATE_FAIL);
636 }
637}
638
639static void nego_attempt_nla(rdpNego* nego)
640{
641 WINPR_ASSERT(nego);
642 nego->RequestedProtocols = PROTOCOL_HYBRID | PROTOCOL_SSL;
643 WLog_Print(nego->log, WLOG_DEBUG, "Attempting NLA security");
644
645 if (!nego_transport_connect(nego))
646 {
647 nego_set_state(nego, NEGO_STATE_FAIL);
648 return;
649 }
650
651 if (!nego_send_negotiation_request(nego))
652 {
653 nego_set_state(nego, NEGO_STATE_FAIL);
654 return;
655 }
656
657 if (!nego_recv_response(nego))
658 {
659 nego_set_state(nego, NEGO_STATE_FAIL);
660 return;
661 }
662
663 WLog_Print(nego->log, WLOG_DEBUG, "state: %s", nego_state_string(nego_get_state(nego)));
664
665 if (nego_get_state(nego) != NEGO_STATE_FINAL)
666 {
667 nego_transport_disconnect(nego);
668
669 if (nego->EnabledProtocols[PROTOCOL_SSL])
670 nego_set_state(nego, NEGO_STATE_TLS);
671 else if (nego->EnabledProtocols[PROTOCOL_RDP])
672 nego_set_state(nego, NEGO_STATE_RDP);
673 else
674 nego_set_state(nego, NEGO_STATE_FAIL);
675 }
676}
677
678static void nego_attempt_tls(rdpNego* nego)
679{
680 WINPR_ASSERT(nego);
681 nego->RequestedProtocols = PROTOCOL_SSL;
682 WLog_Print(nego->log, WLOG_DEBUG, "Attempting TLS security");
683
684 if (!nego_transport_connect(nego))
685 {
686 nego_set_state(nego, NEGO_STATE_FAIL);
687 return;
688 }
689
690 if (!nego_send_negotiation_request(nego))
691 {
692 nego_set_state(nego, NEGO_STATE_FAIL);
693 return;
694 }
695
696 if (!nego_recv_response(nego))
697 {
698 nego_set_state(nego, NEGO_STATE_FAIL);
699 return;
700 }
701
702 if (nego_get_state(nego) != NEGO_STATE_FINAL)
703 {
704 nego_transport_disconnect(nego);
705
706 if (nego->EnabledProtocols[PROTOCOL_RDP])
707 nego_set_state(nego, NEGO_STATE_RDP);
708 else
709 nego_set_state(nego, NEGO_STATE_FAIL);
710 }
711}
712
713static void nego_attempt_rdp(rdpNego* nego)
714{
715 WINPR_ASSERT(nego);
716 nego->RequestedProtocols = PROTOCOL_RDP;
717 WLog_Print(nego->log, WLOG_DEBUG, "Attempting RDP security");
718
719 if (!nego_transport_connect(nego))
720 {
721 nego_set_state(nego, NEGO_STATE_FAIL);
722 return;
723 }
724
725 if (!nego_send_negotiation_request(nego))
726 {
727 nego_set_state(nego, NEGO_STATE_FAIL);
728 return;
729 }
730
731 if (!nego_recv_response(nego))
732 {
733 nego_set_state(nego, NEGO_STATE_FAIL);
734 return;
735 }
736}
737
746BOOL nego_recv_response(rdpNego* nego)
747{
748 int status = 0;
749 wStream* s = nullptr;
750
751 WINPR_ASSERT(nego);
752 s = Stream_New(nullptr, 1024);
753
754 if (!s)
755 {
756 WLog_Print(nego->log, WLOG_ERROR, "Stream_New failed!");
757 return FALSE;
758 }
759
760 status = transport_read_pdu(nego->transport, s);
761
762 if (status < 0)
763 {
764 Stream_Free(s, TRUE);
765 return FALSE;
766 }
767
768 status = nego_recv(nego->transport, s, nego);
769 Stream_Free(s, TRUE);
770
771 return (status >= 0);
772}
773
785int nego_recv(WINPR_ATTR_UNUSED rdpTransport* transport, wStream* s, void* extra)
786{
787 BYTE li = 0;
788 BYTE type = 0;
789 UINT16 length = 0;
790 rdpNego* nego = (rdpNego*)extra;
791
792 WINPR_ASSERT(nego);
793 if (!tpkt_read_header(s, &length))
794 return -1;
795
796 if (!tpdu_read_connection_confirm(s, &li, length))
797 return -1;
798
799 if (li > 6)
800 {
801 /* rdpNegData (optional) */
802 Stream_Read_UINT8(s, type); /* Type */
803
804 switch (type)
805 {
806 case TYPE_RDP_NEG_RSP:
807 if (!nego_process_negotiation_response(nego, s))
808 return -1;
809 {
810 char buffer[64] = WINPR_C_ARRAY_INIT;
811 WLog_Print(
812 nego->log, WLOG_DEBUG, "selected_protocol: %s",
813 nego_protocol_to_str(nego->SelectedProtocol, buffer, sizeof(buffer)));
814 }
815
816 /* enhanced security selected ? */
817
818 if (nego->SelectedProtocol)
819 {
820 if ((nego->SelectedProtocol == PROTOCOL_RDSAAD) &&
821 (!nego->EnabledProtocols[PROTOCOL_RDSAAD]))
822 {
823 nego_set_state(nego, NEGO_STATE_FAIL);
824 }
825 if ((nego->SelectedProtocol == PROTOCOL_HYBRID) &&
826 (!nego->EnabledProtocols[PROTOCOL_HYBRID]))
827 {
828 nego_set_state(nego, NEGO_STATE_FAIL);
829 }
830
831 if ((nego->SelectedProtocol == PROTOCOL_SSL) &&
832 (!nego->EnabledProtocols[PROTOCOL_SSL]))
833 {
834 nego_set_state(nego, NEGO_STATE_FAIL);
835 }
836 }
837 else if (!nego->EnabledProtocols[PROTOCOL_RDP])
838 {
839 nego_set_state(nego, NEGO_STATE_FAIL);
840 }
841
842 break;
843
844 case TYPE_RDP_NEG_FAILURE:
845 if (!nego_process_negotiation_failure(nego, s))
846 return -1;
847 break;
848 default:
849 return -1;
850 }
851 }
852 else if (li == 6)
853 {
854 WLog_Print(nego->log, WLOG_DEBUG, "no rdpNegData");
855
856 if (!nego->EnabledProtocols[PROTOCOL_RDP])
857 nego_set_state(nego, NEGO_STATE_FAIL);
858 else
859 nego_set_state(nego, NEGO_STATE_FINAL);
860 }
861 else
862 {
863 WLog_Print(nego->log, WLOG_ERROR, "invalid negotiation response");
864 nego_set_state(nego, NEGO_STATE_FAIL);
865 }
866
867 if (!tpkt_ensure_stream_consumed(nego->log, s, length))
868 return -1;
869 return 0;
870}
871
877static BOOL nego_read_request_token_or_cookie(rdpNego* nego, wStream* s)
878{
879 /* routingToken and cookie are optional and mutually exclusive!
880 *
881 * routingToken (variable): An optional and variable-length routing
882 * token (used for load balancing) terminated by a 0x0D0A two-byte
883 * sequence: (check [MSFT-SDLBTS] for details!)
884 * Cookie:[space]msts=[ip address].[port].[reserved][\x0D\x0A]
885 * tsv://MS Terminal Services Plugin.1.[\x0D\x0A]
886 *
887 * cookie (variable): An optional and variable-length ANSI character
888 * string terminated by a 0x0D0A two-byte sequence:
889 * Cookie:[space]mstshash=[ANSISTRING][\x0D\x0A]
890 */
891 UINT16 crlf = 0;
892 BOOL result = FALSE;
893 BOOL isToken = FALSE;
894 size_t remain = Stream_GetRemainingLength(s);
895
896 WINPR_ASSERT(nego);
897
898 const char* str = Stream_ConstPointer(s);
899 const size_t pos = Stream_GetPosition(s);
900
901 /* minimum length for token is 15 */
902 if (remain < 15)
903 return TRUE;
904
905 if (memcmp(Stream_ConstPointer(s), "Cookie: mstshash=", 17) != 0)
906 {
907 if (memcmp(Stream_ConstPointer(s), "Cookie: msts=", 13) != 0)
908 {
909 if (memcmp(Stream_ConstPointer(s), "tsv:", 4) != 0)
910 {
911 if (memcmp(Stream_ConstPointer(s), "mth://", 6) != 0)
912 {
913 /* remaining bytes are neither a token nor a cookie */
914 return TRUE;
915 }
916 }
917 }
918 isToken = TRUE;
919 }
920 else
921 {
922 /* not a token, minimum length for cookie is 19 */
923 if (remain < 19)
924 return TRUE;
925
926 Stream_Seek(s, 17);
927 }
928
929 while (Stream_GetRemainingLength(s) >= 2)
930 {
931 Stream_Read_UINT16(s, crlf);
932
933 if (crlf == 0x0A0D)
934 break;
935
936 Stream_Rewind(s, 1);
937 }
938
939 if (crlf == 0x0A0D)
940 {
941 Stream_Rewind(s, 2);
942 const size_t len = Stream_GetPosition(s) - pos;
943 Stream_Write_UINT16(s, 0);
944
945 if (len > UINT32_MAX)
946 return FALSE;
947
948 if (strnlen(str, len) == len)
949 {
950 if (isToken)
951 result = nego_set_routing_token(nego, str, (UINT32)len);
952 else
953 result = nego_set_cookie(nego, str);
954 }
955 }
956
957 if (!result)
958 {
959 Stream_SetPosition(s, pos);
960 WLog_Print(nego->log, WLOG_ERROR, "invalid %s received",
961 isToken ? "routing token" : "cookie");
962 }
963 else
964 {
965 WLog_Print(nego->log, WLOG_DEBUG, "received %s [%s]", isToken ? "routing token" : "cookie",
966 str);
967 }
968
969 return result;
970}
971
981BOOL nego_read_request(rdpNego* nego, wStream* s)
982{
983 BYTE li = 0;
984 BYTE type = 0;
985 UINT16 length = 0;
986
987 WINPR_ASSERT(nego);
988 WINPR_ASSERT(s);
989
990 if (!tpkt_read_header(s, &length))
991 return FALSE;
992
993 if (!tpdu_read_connection_request(s, &li, length))
994 return FALSE;
995
996 if (li != Stream_GetRemainingLength(s) + 6)
997 {
998 WLog_Print(nego->log, WLOG_ERROR, "Incorrect TPDU length indicator.");
999 return FALSE;
1000 }
1001
1002 if (!nego_read_request_token_or_cookie(nego, s))
1003 {
1004 WLog_Print(nego->log, WLOG_ERROR, "Failed to parse routing token or cookie.");
1005 return FALSE;
1006 }
1007
1008 if (Stream_GetRemainingLength(s) >= 8)
1009 {
1010 /* rdpNegData (optional) */
1011 Stream_Read_UINT8(s, type); /* Type */
1012
1013 if (type != TYPE_RDP_NEG_REQ)
1014 {
1015 WLog_Print(nego->log, WLOG_ERROR, "Incorrect negotiation request type %" PRIu8 "",
1016 type);
1017 return FALSE;
1018 }
1019
1020 if (!nego_process_negotiation_request(nego, s))
1021 return FALSE;
1022 }
1023
1024 return tpkt_ensure_stream_consumed(nego->log, s, length);
1025}
1026
1033void nego_send(rdpNego* nego)
1034{
1035 WINPR_ASSERT(nego);
1036
1037 switch (nego_get_state(nego))
1038 {
1039 case NEGO_STATE_AAD:
1040 nego_attempt_rdsaad(nego);
1041 break;
1042 case NEGO_STATE_RDSTLS:
1043 nego_attempt_rdstls(nego);
1044 break;
1045 case NEGO_STATE_EXT:
1046 nego_attempt_ext(nego);
1047 break;
1048 case NEGO_STATE_NLA:
1049 nego_attempt_nla(nego);
1050 break;
1051 case NEGO_STATE_TLS:
1052 nego_attempt_tls(nego);
1053 break;
1054 case NEGO_STATE_RDP:
1055 nego_attempt_rdp(nego);
1056 break;
1057 default:
1058 WLog_Print(nego->log, WLOG_ERROR, "invalid negotiation state for sending");
1059 break;
1060 }
1061}
1062
1073BOOL nego_send_negotiation_request(rdpNego* nego)
1074{
1075 BOOL rc = FALSE;
1076 wStream* s = nullptr;
1077 size_t length = 0;
1078 size_t bm = 0;
1079 size_t em = 0;
1080 BYTE flags = 0;
1081 size_t cookie_length = 0;
1082 s = Stream_New(nullptr, 512);
1083
1084 WINPR_ASSERT(nego);
1085 if (!s)
1086 {
1087 WLog_Print(nego->log, WLOG_ERROR, "Stream_New failed!");
1088 return FALSE;
1089 }
1090
1091 length = TPDU_CONNECTION_REQUEST_LENGTH;
1092 bm = Stream_GetPosition(s);
1093 Stream_Seek(s, length);
1094
1095 if (nego->RoutingToken)
1096 {
1097 Stream_Write(s, nego->RoutingToken, nego->RoutingTokenLength);
1098
1099 /* Ensure Routing Token is correctly terminated - may already be present in string */
1100
1101 if ((nego->RoutingTokenLength > 2) &&
1102 (nego->RoutingToken[nego->RoutingTokenLength - 2] == 0x0D) &&
1103 (nego->RoutingToken[nego->RoutingTokenLength - 1] == 0x0A))
1104 {
1105 WLog_Print(nego->log, WLOG_DEBUG,
1106 "Routing token looks correctly terminated - use verbatim");
1107 length += nego->RoutingTokenLength;
1108 }
1109 else
1110 {
1111 WLog_Print(nego->log, WLOG_DEBUG, "Adding terminating CRLF to routing token");
1112 Stream_Write_UINT8(s, 0x0D); /* CR */
1113 Stream_Write_UINT8(s, 0x0A); /* LF */
1114 length += nego->RoutingTokenLength + 2;
1115 }
1116 }
1117 else if (nego->cookie)
1118 {
1119 cookie_length = strlen(nego->cookie);
1120
1121 if (cookie_length > nego->CookieMaxLength)
1122 cookie_length = nego->CookieMaxLength;
1123
1124 Stream_Write(s, "Cookie: mstshash=", 17);
1125 Stream_Write(s, (BYTE*)nego->cookie, cookie_length);
1126 Stream_Write_UINT8(s, 0x0D); /* CR */
1127 Stream_Write_UINT8(s, 0x0A); /* LF */
1128 length += cookie_length + 19;
1129 }
1130
1131 {
1132 char buffer[64] = WINPR_C_ARRAY_INIT;
1133 WLog_Print(nego->log, WLOG_DEBUG, "RequestedProtocols: %s",
1134 nego_protocol_to_str(nego->RequestedProtocols, buffer, sizeof(buffer)));
1135 }
1136
1137 if ((nego->RequestedProtocols > PROTOCOL_RDP) || (nego->sendNegoData))
1138 {
1139 /* RDP_NEG_DATA must be present for TLS and NLA */
1140 if (nego->RestrictedAdminModeRequired)
1141 flags |= RESTRICTED_ADMIN_MODE_REQUIRED;
1142
1143 if (nego->RemoteCredsGuardRequired)
1144 flags |= REDIRECTED_AUTHENTICATION_MODE_REQUIRED;
1145
1146 Stream_Write_UINT8(s, TYPE_RDP_NEG_REQ);
1147 Stream_Write_UINT8(s, flags);
1148 Stream_Write_UINT16(s, 8); /* RDP_NEG_DATA length (8) */
1149 Stream_Write_UINT32(s, nego->RequestedProtocols); /* requestedProtocols */
1150 length += 8;
1151 }
1152
1153 if (length > UINT16_MAX)
1154 goto fail;
1155
1156 em = Stream_GetPosition(s);
1157 Stream_SetPosition(s, bm);
1158 if (!tpkt_write_header(s, (UINT16)length))
1159 goto fail;
1160 if (!tpdu_write_connection_request(s, (UINT16)length - 5))
1161 goto fail;
1162 Stream_SetPosition(s, em);
1163 Stream_SealLength(s);
1164 rc = (transport_write(nego->transport, s) >= 0);
1165fail:
1166 Stream_Free(s, TRUE);
1167 return rc;
1168}
1169
1170static BOOL nego_process_correlation_info(WINPR_ATTR_UNUSED rdpNego* nego, wStream* s)
1171{
1172 UINT8 type = 0;
1173 UINT8 flags = 0;
1174 UINT16 length = 0;
1175 BYTE correlationId[16] = WINPR_C_ARRAY_INIT;
1176
1177 if (!Stream_CheckAndLogRequiredLengthWLog(nego->log, s, 36))
1178 {
1179 WLog_Print(nego->log, WLOG_ERROR,
1180 "RDP_NEG_REQ::flags CORRELATION_INFO_PRESENT but data is missing");
1181 return FALSE;
1182 }
1183
1184 Stream_Read_UINT8(s, type);
1185 if (type != TYPE_RDP_CORRELATION_INFO)
1186 {
1187 WLog_Print(nego->log, WLOG_ERROR,
1188 "(RDP_NEG_CORRELATION_INFO::type != TYPE_RDP_CORRELATION_INFO");
1189 return FALSE;
1190 }
1191 Stream_Read_UINT8(s, flags);
1192 if (flags != 0)
1193 {
1194 WLog_Print(nego->log, WLOG_ERROR, "(RDP_NEG_CORRELATION_INFO::flags != 0");
1195 return FALSE;
1196 }
1197 Stream_Read_UINT16(s, length);
1198 if (length != 36)
1199 {
1200 WLog_Print(nego->log, WLOG_ERROR, "(RDP_NEG_CORRELATION_INFO::length != 36");
1201 return FALSE;
1202 }
1203
1204 Stream_Read(s, correlationId, sizeof(correlationId));
1205 if ((correlationId[0] == 0x00) || (correlationId[0] == 0xF4))
1206 {
1207 WLog_Print(nego->log, WLOG_ERROR,
1208 "(RDP_NEG_CORRELATION_INFO::correlationId[0] has invalid value 0x%02" PRIx8,
1209 correlationId[0]);
1210 return FALSE;
1211 }
1212 for (size_t x = 0; x < ARRAYSIZE(correlationId); x++)
1213 {
1214 if (correlationId[x] == 0x0D)
1215 {
1216 WLog_Print(nego->log, WLOG_ERROR,
1217 "(RDP_NEG_CORRELATION_INFO::correlationId[%" PRIuz
1218 "] has invalid value 0x%02" PRIx8,
1219 x, correlationId[x]);
1220 return FALSE;
1221 }
1222 }
1223 Stream_Seek(s, 16); /* skip reserved bytes */
1224
1225 WLog_Print(nego->log, WLOG_INFO,
1226 "RDP_NEG_CORRELATION_INFO::correlationId = { %02" PRIx8 ", %02" PRIx8 ", %02" PRIx8
1227 ", %02" PRIx8 ", %02" PRIx8 ", %02" PRIx8 ", %02" PRIx8 ", %02" PRIx8 ", %02" PRIx8
1228 ", %02" PRIx8 ", %02" PRIx8 ", %02" PRIx8 ", %02" PRIx8 ", %02" PRIx8 ", %02" PRIx8
1229 ", %02" PRIx8 " }",
1230 correlationId[0], correlationId[1], correlationId[2], correlationId[3],
1231 correlationId[4], correlationId[5], correlationId[6], correlationId[7],
1232 correlationId[8], correlationId[9], correlationId[10], correlationId[11],
1233 correlationId[12], correlationId[13], correlationId[14], correlationId[15]);
1234 return TRUE;
1235}
1236
1237BOOL nego_process_negotiation_request(rdpNego* nego, wStream* s)
1238{
1239 BYTE flags = 0;
1240 UINT16 length = 0;
1241
1242 WINPR_ASSERT(nego);
1243 WINPR_ASSERT(s);
1244
1245 if (!Stream_CheckAndLogRequiredLengthWLog(nego->log, s, 7))
1246 return FALSE;
1247 Stream_Read_UINT8(s, flags);
1248 if ((flags & ~(RESTRICTED_ADMIN_MODE_REQUIRED | REDIRECTED_AUTHENTICATION_MODE_REQUIRED |
1249 CORRELATION_INFO_PRESENT)) != 0)
1250 {
1251 WLog_Print(nego->log, WLOG_ERROR, "RDP_NEG_REQ::flags invalid value 0x%02" PRIx8, flags);
1252 return FALSE;
1253 }
1254 if (flags & RESTRICTED_ADMIN_MODE_REQUIRED)
1255 {
1256 if (nego->RestrictedAdminModeSupported)
1257 {
1258 WLog_Print(nego->log, WLOG_INFO, "RDP_NEG_REQ::flags RESTRICTED_ADMIN_MODE_REQUIRED");
1259 }
1260 else
1261 {
1262 WLog_Print(nego->log, WLOG_ERROR,
1263 "RDP_NEG_REQ::flags RESTRICTED_ADMIN_MODE_REQUIRED but disabled");
1264 return FALSE;
1265 }
1266 }
1267
1268 if (flags & REDIRECTED_AUTHENTICATION_MODE_REQUIRED)
1269 {
1270 if (nego->RemoteCredsGuardSupported)
1271 {
1272 WLog_Print(nego->log, WLOG_INFO,
1273 "RDP_NEG_REQ::flags REDIRECTED_AUTHENTICATION_MODE_REQUIRED");
1274 nego->RemoteCredsGuardActive = TRUE;
1275 }
1276 else
1277 {
1278 /* If both RESTRICTED_ADMIN_MODE_REQUIRED and REDIRECTED_AUTHENTICATION_MODE_REQUIRED
1279 * are set, it means one or the other. In this case, don't fail if Remote Guard isn't
1280 * available. */
1281 if (flags & RESTRICTED_ADMIN_MODE_REQUIRED)
1282 {
1283 WLog_Print(nego->log, WLOG_INFO,
1284 "RDP_NEG_REQ::flags REDIRECTED_AUTHENTICATION_MODE_REQUIRED ignored.");
1285 }
1286 else
1287 {
1288 WLog_Print(
1289 nego->log, WLOG_ERROR,
1290 "RDP_NEG_REQ::flags REDIRECTED_AUTHENTICATION_MODE_REQUIRED but disabled");
1291 return FALSE;
1292 }
1293 }
1294 }
1295
1296 Stream_Read_UINT16(s, length);
1297 if (length != 8)
1298 {
1299 WLog_Print(nego->log, WLOG_ERROR, "RDP_NEG_REQ::length != 8");
1300 return FALSE;
1301 }
1302 Stream_Read_UINT32(s, nego->RequestedProtocols);
1303
1304 if (flags & CORRELATION_INFO_PRESENT)
1305 {
1306 if (!nego_process_correlation_info(nego, s))
1307 return FALSE;
1308 }
1309
1310 {
1311 char buffer[64] = WINPR_C_ARRAY_INIT;
1312 WLog_Print(nego->log, WLOG_DEBUG, "RDP_NEG_REQ: RequestedProtocol: %s",
1313 nego_protocol_to_str(nego->RequestedProtocols, buffer, sizeof(buffer)));
1314 }
1315 nego_set_state(nego, NEGO_STATE_FINAL);
1316 return TRUE;
1317}
1318
1319static const char* nego_rdp_neg_rsp_flags_str(UINT32 flags)
1320{
1321 const uint32_t mask =
1322 (EXTENDED_CLIENT_DATA_SUPPORTED | DYNVC_GFX_PROTOCOL_SUPPORTED | RDP_NEGRSP_RESERVED |
1323 RESTRICTED_ADMIN_MODE_SUPPORTED | REDIRECTED_AUTHENTICATION_MODE_SUPPORTED);
1324 static char buffer[1024] = WINPR_C_ARRAY_INIT;
1325
1326 (void)_snprintf(buffer, ARRAYSIZE(buffer), "[0x%02" PRIx32 "] ", flags);
1327 if (flags & EXTENDED_CLIENT_DATA_SUPPORTED)
1328 winpr_str_append("EXTENDED_CLIENT_DATA_SUPPORTED", buffer, sizeof(buffer), "|");
1329 if (flags & DYNVC_GFX_PROTOCOL_SUPPORTED)
1330 winpr_str_append("DYNVC_GFX_PROTOCOL_SUPPORTED", buffer, sizeof(buffer), "|");
1331 if (flags & RDP_NEGRSP_RESERVED)
1332 winpr_str_append("RDP_NEGRSP_RESERVED", buffer, sizeof(buffer), "|");
1333 if (flags & RESTRICTED_ADMIN_MODE_SUPPORTED)
1334 winpr_str_append("RESTRICTED_ADMIN_MODE_SUPPORTED", buffer, sizeof(buffer), "|");
1335 if (flags & REDIRECTED_AUTHENTICATION_MODE_SUPPORTED)
1336 winpr_str_append("REDIRECTED_AUTHENTICATION_MODE_SUPPORTED", buffer, sizeof(buffer), "|");
1337 if (flags & ~mask)
1338 {
1339 char buffer2[32] = WINPR_C_ARRAY_INIT;
1340 (void)_snprintf(buffer2, sizeof(buffer2), "UNKNOWN[0x%04" PRIx32 "]", flags & ~mask);
1341 winpr_str_append(buffer2, buffer, sizeof(buffer), "|");
1342 }
1343
1344 return buffer;
1345}
1346
1347BOOL nego_process_negotiation_response(rdpNego* nego, wStream* s)
1348{
1349 UINT16 length = 0;
1350
1351 WINPR_ASSERT(nego);
1352 WINPR_ASSERT(s);
1353
1354 if (!Stream_CheckAndLogRequiredLengthWLog(nego->log, s, 7))
1355 {
1356 nego_set_state(nego, NEGO_STATE_FAIL);
1357 return FALSE;
1358 }
1359
1360 Stream_Read_UINT8(s, nego->flags);
1361 WLog_Print(nego->log, WLOG_DEBUG, "RDP_NEG_RSP::flags = { %s }",
1362 nego_rdp_neg_rsp_flags_str(nego->flags));
1363
1364 Stream_Read_UINT16(s, length);
1365 if (length != 8)
1366 {
1367 WLog_Print(nego->log, WLOG_ERROR, "RDP_NEG_RSP::length != 8");
1368 nego_set_state(nego, NEGO_STATE_FAIL);
1369 return FALSE;
1370 }
1371 UINT32 SelectedProtocol = 0;
1372 Stream_Read_UINT32(s, SelectedProtocol);
1373
1374 if (!nego_set_selected_protocol(nego, SelectedProtocol))
1375 return FALSE;
1376 return nego_set_state(nego, NEGO_STATE_FINAL);
1377}
1378
1379static const char* nego_rdp_neg_fail_str(uint32_t what)
1380{
1381 switch (what)
1382 {
1383 case SSL_REQUIRED_BY_SERVER:
1384 return "SSL_REQUIRED_BY_SERVER";
1385 case SSL_NOT_ALLOWED_BY_SERVER:
1386 return "SSL_NOT_ALLOWED_BY_SERVER";
1387 case SSL_CERT_NOT_ON_SERVER:
1388 return "SSL_CERT_NOT_ON_SERVER";
1389 case INCONSISTENT_FLAGS:
1390 return "INCONSISTENT_FLAGS";
1391 case HYBRID_REQUIRED_BY_SERVER:
1392 return "HYBRID_REQUIRED_BY_SERVER";
1393 case SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER:
1394 return "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER";
1395 default:
1396 return "UNKNOWN";
1397 }
1398}
1399
1400static void nego_disable_all_except(rdpNego* nego, uint32_t what)
1401{
1402 WINPR_ASSERT(nego);
1403
1404 char buffer[32] = WINPR_C_ARRAY_INIT;
1405 WLog_Print(nego->log, WLOG_DEBUG, "Disabling all modes except %s",
1406 nego_protocol_to_str(what, buffer, sizeof(buffer)));
1407
1408 for (size_t x = 0; x < ARRAYSIZE(nego->EnabledProtocols); x++)
1409 {
1410 if (x == what)
1411 continue;
1412 nego->EnabledProtocols[x] = FALSE;
1413 }
1414}
1415
1424BOOL nego_process_negotiation_failure(rdpNego* nego, wStream* s)
1425{
1426 BYTE flags = 0;
1427 UINT16 length = 0;
1428
1429 WINPR_ASSERT(nego);
1430 WINPR_ASSERT(s);
1431
1432 WLog_Print(nego->log, WLOG_DEBUG, "RDP_NEG_FAILURE");
1433 if (!Stream_CheckAndLogRequiredLengthWLog(nego->log, s, 7))
1434 return FALSE;
1435
1436 Stream_Read_UINT8(s, flags);
1437 if (flags != 0)
1438 {
1439 WLog_Print(nego->log, WLOG_ERROR, "RDP_NEG_FAILURE::flags = 0x%02" PRIx8, flags);
1440 return FALSE;
1441 }
1442 Stream_Read_UINT16(s, length);
1443 if (length != 8)
1444 {
1445 WLog_Print(nego->log, WLOG_ERROR, "RDP_NEG_FAILURE::length != 8");
1446 return FALSE;
1447 }
1448 const uint32_t failureCode = Stream_Get_UINT32(s);
1449 const char* failureStr = nego_rdp_neg_fail_str(failureCode);
1450 DWORD level = WLOG_WARN;
1451 switch (failureCode)
1452 {
1453 case SSL_REQUIRED_BY_SERVER:
1454 nego_disable_all_except(nego, PROTOCOL_SSL);
1455 break;
1456
1457 case SSL_NOT_ALLOWED_BY_SERVER:
1458 nego_disable_all_except(nego, PROTOCOL_RDP);
1459 nego->sendNegoData = TRUE;
1460 break;
1461
1462 case SSL_CERT_NOT_ON_SERVER:
1463 level = WLOG_ERROR;
1464 nego->sendNegoData = TRUE;
1465 break;
1466
1467 case INCONSISTENT_FLAGS:
1468 level = WLOG_ERROR;
1469 break;
1470
1471 case HYBRID_REQUIRED_BY_SERVER:
1472 nego_disable_all_except(nego, PROTOCOL_HYBRID);
1473 break;
1474
1475 default:
1476 level = WLOG_ERROR;
1477 break;
1478 }
1479
1480 WLog_Print(nego->log, level, "Error: %s [0x%08" PRIx32 "]", failureStr, failureCode);
1481 nego_set_state(nego, NEGO_STATE_FAIL);
1482 return TRUE;
1483}
1484
1490BOOL nego_send_negotiation_response(rdpNego* nego)
1491{
1492 UINT16 length = 0;
1493 size_t bm = 0;
1494 size_t em = 0;
1495 BOOL status = 0;
1496 wStream* s = nullptr;
1497 BYTE flags = 0;
1498 rdpContext* context = nullptr;
1499 rdpSettings* settings = nullptr;
1500
1501 WINPR_ASSERT(nego);
1502 context = transport_get_context(nego->transport);
1503 WINPR_ASSERT(context);
1504
1505 settings = context->settings;
1506 WINPR_ASSERT(settings);
1507
1508 s = Stream_New(nullptr, 512);
1509
1510 if (!s)
1511 {
1512 WLog_Print(nego->log, WLOG_ERROR, "Stream_New failed!");
1513 return FALSE;
1514 }
1515
1516 length = TPDU_CONNECTION_CONFIRM_LENGTH;
1517 bm = Stream_GetPosition(s);
1518 Stream_Seek(s, length);
1519
1520 if (nego->SelectedProtocol & PROTOCOL_FAILED_NEGO)
1521 {
1522 UINT32 errorCode = (nego->SelectedProtocol & ~PROTOCOL_FAILED_NEGO);
1523 flags = 0;
1524 Stream_Write_UINT8(s, TYPE_RDP_NEG_FAILURE);
1525 Stream_Write_UINT8(s, flags); /* flags */
1526 Stream_Write_UINT16(s, 8); /* RDP_NEG_DATA length (8) */
1527 Stream_Write_UINT32(s, errorCode);
1528 length += 8;
1529 }
1530 else
1531 {
1532 flags = EXTENDED_CLIENT_DATA_SUPPORTED;
1533
1534 if (freerdp_settings_get_bool(settings, FreeRDP_SupportGraphicsPipeline))
1535 flags |= DYNVC_GFX_PROTOCOL_SUPPORTED;
1536
1537 if (nego->RestrictedAdminModeSupported)
1538 flags |= RESTRICTED_ADMIN_MODE_SUPPORTED;
1539
1540 if (nego->RemoteCredsGuardSupported)
1541 flags |= REDIRECTED_AUTHENTICATION_MODE_SUPPORTED;
1542
1543 /* RDP_NEG_DATA must be present for TLS, NLA, RDP and RDSTLS */
1544 Stream_Write_UINT8(s, TYPE_RDP_NEG_RSP);
1545 Stream_Write_UINT8(s, flags); /* flags */
1546 Stream_Write_UINT16(s, 8); /* RDP_NEG_DATA length (8) */
1547 Stream_Write_UINT32(s, nego->SelectedProtocol); /* selectedProtocol */
1548 length += 8;
1549 }
1550
1551 em = Stream_GetPosition(s);
1552 Stream_SetPosition(s, bm);
1553 status = tpkt_write_header(s, length);
1554 if (status)
1555 status = tpdu_write_connection_confirm(s, length - 5);
1556
1557 if (status)
1558 {
1559 Stream_SetPosition(s, em);
1560 Stream_SealLength(s);
1561
1562 status = (transport_write(nego->transport, s) >= 0);
1563 }
1564 Stream_Free(s, TRUE);
1565
1566 if (status)
1567 {
1568 /* update settings with negotiated protocol security */
1569 if (!freerdp_settings_set_uint32(settings, FreeRDP_RequestedProtocols,
1570 nego->RequestedProtocols))
1571 return FALSE;
1572 if (!freerdp_settings_set_uint32(settings, FreeRDP_SelectedProtocol,
1573 nego->SelectedProtocol))
1574 return FALSE;
1575
1576 switch (nego->SelectedProtocol)
1577 {
1578 case PROTOCOL_RDP:
1579 if (!freerdp_settings_set_bool(settings, FreeRDP_TlsSecurity, FALSE))
1580 return FALSE;
1581 if (!freerdp_settings_set_bool(settings, FreeRDP_NlaSecurity, FALSE))
1582 return FALSE;
1583 if (!freerdp_settings_set_bool(settings, FreeRDP_RdpSecurity, TRUE))
1584 return FALSE;
1585 if (!freerdp_settings_set_bool(settings, FreeRDP_UseRdpSecurityLayer, TRUE))
1586 return FALSE;
1587
1588 if (freerdp_settings_get_uint32(settings, FreeRDP_EncryptionLevel) ==
1589 ENCRYPTION_LEVEL_NONE)
1590 {
1595 if (!freerdp_settings_set_uint32(settings, FreeRDP_EncryptionLevel,
1596 ENCRYPTION_LEVEL_CLIENT_COMPATIBLE))
1597 return FALSE;
1598 }
1599
1600 if (freerdp_settings_get_bool(settings, FreeRDP_LocalConnection))
1601 {
1608 WLog_Print(nego->log, WLOG_INFO,
1609 "Turning off encryption for local peer with standard rdp security");
1610 if (!freerdp_settings_set_bool(settings, FreeRDP_UseRdpSecurityLayer, FALSE))
1611 return FALSE;
1612 if (!freerdp_settings_set_uint32(settings, FreeRDP_EncryptionLevel,
1613 ENCRYPTION_LEVEL_NONE))
1614 return FALSE;
1615 }
1616 else if (!freerdp_settings_get_pointer(settings, FreeRDP_RdpServerRsaKey))
1617 {
1618 WLog_Print(nego->log, WLOG_ERROR, "Missing server certificate");
1619 return FALSE;
1620 }
1621 break;
1622 case PROTOCOL_SSL:
1623 if (!freerdp_settings_set_bool(settings, FreeRDP_TlsSecurity, TRUE))
1624 return FALSE;
1625 if (!freerdp_settings_set_bool(settings, FreeRDP_NlaSecurity, FALSE))
1626 return FALSE;
1627 if (!freerdp_settings_set_bool(settings, FreeRDP_RdstlsSecurity, FALSE))
1628 return FALSE;
1629 if (!freerdp_settings_set_bool(settings, FreeRDP_RdpSecurity, FALSE))
1630 return FALSE;
1631 if (!freerdp_settings_set_bool(settings, FreeRDP_UseRdpSecurityLayer, FALSE))
1632 return FALSE;
1633
1634 if (!freerdp_settings_set_uint32(settings, FreeRDP_EncryptionLevel,
1635 ENCRYPTION_LEVEL_NONE))
1636 return FALSE;
1637 break;
1638 case PROTOCOL_HYBRID:
1639 if (!freerdp_settings_set_bool(settings, FreeRDP_TlsSecurity, TRUE))
1640 return FALSE;
1641 if (!freerdp_settings_set_bool(settings, FreeRDP_NlaSecurity, TRUE))
1642 return FALSE;
1643 if (!freerdp_settings_set_bool(settings, FreeRDP_RdstlsSecurity, FALSE))
1644 return FALSE;
1645 if (!freerdp_settings_set_bool(settings, FreeRDP_RdpSecurity, FALSE))
1646 return FALSE;
1647 if (!freerdp_settings_set_bool(settings, FreeRDP_UseRdpSecurityLayer, FALSE))
1648 return FALSE;
1649
1650 if (!freerdp_settings_set_uint32(settings, FreeRDP_EncryptionLevel,
1651 ENCRYPTION_LEVEL_NONE))
1652 return FALSE;
1653 break;
1654 case PROTOCOL_RDSTLS:
1655 if (!freerdp_settings_set_bool(settings, FreeRDP_TlsSecurity, TRUE))
1656 return FALSE;
1657 if (!freerdp_settings_set_bool(settings, FreeRDP_NlaSecurity, FALSE))
1658 return FALSE;
1659 if (!freerdp_settings_set_bool(settings, FreeRDP_RdstlsSecurity, TRUE))
1660 return FALSE;
1661 if (!freerdp_settings_set_bool(settings, FreeRDP_RdpSecurity, FALSE))
1662 return FALSE;
1663 if (!freerdp_settings_set_bool(settings, FreeRDP_UseRdpSecurityLayer, FALSE))
1664 return FALSE;
1665
1666 if (!freerdp_settings_set_uint32(settings, FreeRDP_EncryptionLevel,
1667 ENCRYPTION_LEVEL_NONE))
1668 return FALSE;
1669 break;
1670 default:
1671 break;
1672 }
1673 }
1674
1675 return status;
1676}
1677
1683void nego_init(rdpNego* nego)
1684{
1685 WINPR_ASSERT(nego);
1686 nego_set_state(nego, NEGO_STATE_INITIAL);
1687 nego->RequestedProtocols = PROTOCOL_RDP;
1688 nego->CookieMaxLength = DEFAULT_COOKIE_MAX_LENGTH;
1689 nego->sendNegoData = FALSE;
1690 nego->flags = 0;
1691}
1692
1701rdpNego* nego_new(rdpTransport* transport)
1702{
1703 rdpNego* nego = (rdpNego*)calloc(1, sizeof(rdpNego));
1704
1705 if (!nego)
1706 return nullptr;
1707
1708 nego->log = WLog_Get(NEGO_TAG);
1709 WINPR_ASSERT(nego->log);
1710 nego->transport = transport;
1711 nego_init(nego);
1712 return nego;
1713}
1714
1720void nego_free(rdpNego* nego)
1721{
1722 if (nego)
1723 {
1724 free(nego->RoutingToken);
1725 free(nego->cookie);
1726 free(nego);
1727 }
1728}
1729
1739BOOL nego_set_target(rdpNego* nego, const char* hostname, UINT16 port)
1740{
1741 WINPR_ASSERT(nego);
1742 WINPR_ASSERT(hostname);
1743
1744 nego->hostname = hostname;
1745 nego->port = port;
1746 return TRUE;
1747}
1748
1756void nego_set_negotiation_enabled(rdpNego* nego, BOOL NegotiateSecurityLayer)
1757{
1758 WLog_Print(nego->log, WLOG_DEBUG, "Enabling security layer negotiation: %s",
1759 NegotiateSecurityLayer ? "TRUE" : "FALSE");
1760 nego->NegotiateSecurityLayer = NegotiateSecurityLayer;
1761}
1762
1770void nego_set_restricted_admin_mode_required(rdpNego* nego, BOOL RestrictedAdminModeRequired)
1771{
1772 WLog_Print(nego->log, WLOG_DEBUG, "Enabling restricted admin mode: %s",
1773 RestrictedAdminModeRequired ? "TRUE" : "FALSE");
1774 nego->RestrictedAdminModeRequired = RestrictedAdminModeRequired;
1775}
1776
1777void nego_set_restricted_admin_mode_supported(rdpNego* nego, BOOL enabled)
1778{
1779 WINPR_ASSERT(nego);
1780
1781 nego->RestrictedAdminModeSupported = enabled;
1782}
1783
1784void nego_set_RCG_required(rdpNego* nego, BOOL enabled)
1785{
1786 WINPR_ASSERT(nego);
1787
1788 WLog_Print(nego->log, WLOG_DEBUG, "Enabling remoteCredentialGuards: %s",
1789 enabled ? "TRUE" : "FALSE");
1790 nego->RemoteCredsGuardRequired = enabled;
1791}
1792
1793void nego_set_RCG_supported(rdpNego* nego, BOOL enabled)
1794{
1795 WINPR_ASSERT(nego);
1796
1797 nego->RemoteCredsGuardSupported = enabled;
1798}
1799
1800BOOL nego_get_remoteCredentialGuard(const rdpNego* nego)
1801{
1802 WINPR_ASSERT(nego);
1803
1804 return nego->RemoteCredsGuardActive;
1805}
1806
1807void nego_set_childsession_enabled(rdpNego* nego, BOOL ChildSessionEnabled)
1808{
1809 WINPR_ASSERT(nego);
1810 nego->ConnectChildSession = ChildSessionEnabled;
1811}
1812
1813void nego_set_gateway_enabled(rdpNego* nego, BOOL GatewayEnabled)
1814{
1815 nego->GatewayEnabled = GatewayEnabled;
1816}
1817
1818void nego_set_gateway_bypass_local(rdpNego* nego, BOOL GatewayBypassLocal)
1819{
1820 nego->GatewayBypassLocal = GatewayBypassLocal;
1821}
1822
1829void nego_enable_rdp(rdpNego* nego, BOOL enable_rdp)
1830{
1831 WLog_Print(nego->log, WLOG_DEBUG, "Enabling RDP security: %s", enable_rdp ? "TRUE" : "FALSE");
1832 nego->EnabledProtocols[PROTOCOL_RDP] = enable_rdp;
1833}
1834
1841void nego_enable_tls(rdpNego* nego, BOOL enable_tls)
1842{
1843 WLog_Print(nego->log, WLOG_DEBUG, "Enabling TLS security: %s", enable_tls ? "TRUE" : "FALSE");
1844 nego->EnabledProtocols[PROTOCOL_SSL] = enable_tls;
1845}
1846
1854void nego_enable_nla(rdpNego* nego, BOOL enable_nla)
1855{
1856 WLog_Print(nego->log, WLOG_DEBUG, "Enabling NLA security: %s", enable_nla ? "TRUE" : "FALSE");
1857 nego->EnabledProtocols[PROTOCOL_HYBRID] = enable_nla;
1858}
1859
1867void nego_enable_rdstls(rdpNego* nego, BOOL enable_rdstls)
1868{
1869 WLog_Print(nego->log, WLOG_DEBUG, "Enabling RDSTLS security: %s",
1870 enable_rdstls ? "TRUE" : "FALSE");
1871 nego->EnabledProtocols[PROTOCOL_RDSTLS] = enable_rdstls;
1872}
1873
1881void nego_enable_ext(rdpNego* nego, BOOL enable_ext)
1882{
1883 WLog_Print(nego->log, WLOG_DEBUG, "Enabling NLA extended security: %s",
1884 enable_ext ? "TRUE" : "FALSE");
1885 nego->EnabledProtocols[PROTOCOL_HYBRID_EX] = enable_ext;
1886}
1887
1895void nego_enable_aad(rdpNego* nego, BOOL enable_aad)
1896{
1897 WINPR_ASSERT(nego);
1898 if (aad_is_supported())
1899 {
1900 WLog_Print(nego->log, WLOG_DEBUG, "Enabling RDS AAD security: %s",
1901 enable_aad ? "TRUE" : "FALSE");
1902 nego->EnabledProtocols[PROTOCOL_RDSAAD] = enable_aad;
1903 }
1904 else
1905 {
1906 WLog_Print(nego->log, WLOG_WARN, "This build does not support AAD security, disabling.");
1907 }
1908}
1909
1919BOOL nego_set_routing_token(rdpNego* nego, const void* RoutingToken, DWORD RoutingTokenLength)
1920{
1921 if (RoutingTokenLength == 0)
1922 return FALSE;
1923
1924 free(nego->RoutingToken);
1925 nego->RoutingTokenLength = RoutingTokenLength;
1926 nego->RoutingToken = (BYTE*)malloc(nego->RoutingTokenLength);
1927
1928 if (!nego->RoutingToken)
1929 return FALSE;
1930
1931 CopyMemory(nego->RoutingToken, RoutingToken, nego->RoutingTokenLength);
1932 return TRUE;
1933}
1934
1943BOOL nego_set_cookie(rdpNego* nego, const char* cookie)
1944{
1945 if (nego->cookie)
1946 {
1947 free(nego->cookie);
1948 nego->cookie = nullptr;
1949 }
1950
1951 if (!cookie)
1952 return TRUE;
1953
1954 nego->cookie = _strdup(cookie);
1955
1956 return (nego->cookie != nullptr);
1957}
1958
1965void nego_set_cookie_max_length(rdpNego* nego, UINT32 CookieMaxLength)
1966{
1967 nego->CookieMaxLength = CookieMaxLength;
1968}
1969
1976void nego_set_send_preconnection_pdu(rdpNego* nego, BOOL SendPreconnectionPdu)
1977{
1978 nego->SendPreconnectionPdu = SendPreconnectionPdu;
1979}
1980
1987void nego_set_preconnection_id(rdpNego* nego, UINT32 PreconnectionId)
1988{
1989 nego->PreconnectionId = PreconnectionId;
1990}
1991
1998void nego_set_preconnection_blob(rdpNego* nego, const char* PreconnectionBlob)
1999{
2000 nego->PreconnectionBlob = PreconnectionBlob;
2001}
2002
2003UINT32 nego_get_selected_protocol(const rdpNego* nego)
2004{
2005 if (!nego)
2006 return 0;
2007
2008 return nego->SelectedProtocol;
2009}
2010
2011BOOL nego_set_selected_protocol(rdpNego* nego, UINT32 SelectedProtocol)
2012{
2013 WINPR_ASSERT(nego);
2014 nego->SelectedProtocol = SelectedProtocol;
2015 return TRUE;
2016}
2017
2018UINT32 nego_get_requested_protocols(const rdpNego* nego)
2019{
2020 if (!nego)
2021 return 0;
2022
2023 return nego->RequestedProtocols;
2024}
2025
2026BOOL nego_set_requested_protocols(rdpNego* nego, UINT32 RequestedProtocols)
2027{
2028 if (!nego)
2029 return FALSE;
2030
2031 nego->RequestedProtocols = RequestedProtocols;
2032 return TRUE;
2033}
2034
2035NEGO_STATE nego_get_state(const rdpNego* nego)
2036{
2037 if (!nego)
2038 return NEGO_STATE_FAIL;
2039
2040 return nego->state;
2041}
2042
2043BOOL nego_set_state(rdpNego* nego, NEGO_STATE state)
2044{
2045 WINPR_ASSERT(nego);
2046 nego->state = state;
2047 return TRUE;
2048}
2049
2050SEC_WINNT_AUTH_IDENTITY* nego_get_identity(rdpNego* nego)
2051{
2052 rdpNla* nla = nullptr;
2053 if (!nego)
2054 return nullptr;
2055
2056 nla = transport_get_nla(nego->transport);
2057 return nla_get_identity(nla);
2058}
2059
2060void nego_free_nla(rdpNego* nego)
2061{
2062 if (!nego || !nego->transport)
2063 return;
2064
2065 transport_set_nla(nego->transport, nullptr);
2066}
2067
2068const BYTE* nego_get_routing_token(const rdpNego* nego, DWORD* RoutingTokenLength)
2069{
2070 if (!nego)
2071 return nullptr;
2072 if (RoutingTokenLength)
2073 *RoutingTokenLength = nego->RoutingTokenLength;
2074 return nego->RoutingToken;
2075}
2076
2077const char* nego_protocol_to_str(UINT32 protocol, char* buffer, size_t size)
2078{
2079 const UINT32 mask = ~(PROTOCOL_SSL | PROTOCOL_HYBRID | PROTOCOL_RDSTLS | PROTOCOL_HYBRID_EX |
2080 PROTOCOL_RDSAAD | PROTOCOL_FAILED_NEGO);
2081 char str[48] = WINPR_C_ARRAY_INIT;
2082
2083 if (protocol & PROTOCOL_SSL)
2084 (void)winpr_str_append("SSL", str, sizeof(str), "|");
2085 if (protocol & PROTOCOL_HYBRID)
2086 (void)winpr_str_append("HYBRID", str, sizeof(str), "|");
2087 if (protocol & PROTOCOL_RDSTLS)
2088 (void)winpr_str_append("RDSTLS", str, sizeof(str), "|");
2089 if (protocol & PROTOCOL_HYBRID_EX)
2090 (void)winpr_str_append("HYBRID_EX", str, sizeof(str), "|");
2091 if (protocol & PROTOCOL_RDSAAD)
2092 (void)winpr_str_append("RDSAAD", str, sizeof(str), "|");
2093 if (protocol & PROTOCOL_FAILED_NEGO)
2094 (void)winpr_str_append("NEGO FAILED", str, sizeof(str), "|");
2095
2096 if (protocol == PROTOCOL_RDP)
2097 (void)winpr_str_append("RDP", str, sizeof(str), "");
2098 else if ((protocol & mask) != 0)
2099 (void)winpr_str_append("UNKNOWN", str, sizeof(str), "|");
2100
2101 (void)_snprintf(buffer, size, "[%s][0x%08" PRIx32 "]", str, protocol);
2102 return buffer;
2103}
freerdp_settings_get_pointer
WINPR_ATTR_NODISCARD FREERDP_API const void * freerdp_settings_get_pointer(const rdpSettings *settings, FreeRDP_Settings_Keys_Pointer id)
Returns a immutable pointer settings value.
Definition common/settings.c:1414
freerdp_settings_set_uint32
FREERDP_API BOOL freerdp_settings_set_uint32(rdpSettings *settings, FreeRDP_Settings_Keys_UInt32 id, UINT32 val)
Sets a UINT32 settings value.
freerdp_settings_set_bool
FREERDP_API BOOL freerdp_settings_set_bool(rdpSettings *settings, FreeRDP_Settings_Keys_Bool id, BOOL val)
Sets a BOOL settings value.
freerdp_settings_get_uint32
WINPR_ATTR_NODISCARD FREERDP_API UINT32 freerdp_settings_get_uint32(const rdpSettings *settings, FreeRDP_Settings_Keys_UInt32 id)
Returns a UINT32 settings value.
freerdp_settings_get_bool
WINPR_ATTR_NODISCARD FREERDP_API BOOL freerdp_settings_get_bool(const rdpSettings *settings, FreeRDP_Settings_Keys_Bool id)
Returns a boolean settings value.